APIsec for Compliance officers

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk scoring with prioritized findings in under a minute
  • Detection aligned to OWASP API Top 10 (2023), PCI-DSS 4.0, SOC 2
  • Authenticated scans with header allowlists and domain verification
  • Continuous monitoring with diff detection and HMAC-SHA256 webhooks
  • Programmatic access via CLI, API client, and GitHub Action

Purpose and workflow for compliance officers

This tool provides a consistent, automated method to assess external API surfaces against established control families. You submit a target URL, and within a minute the scanner returns a risk score and prioritized findings. The workflow is designed to fit into existing review gates, giving you evidence to discuss with development and audit teams without requiring code access or agents on the target system.

Mapping findings to compliance frameworks

Findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For each finding, you receive context on which control or subcontrol the issue aligns with, including relevant requirement text where applicable. The scanner also aligns with security controls described in other regimes via a documented gap analysis, helping you prepare audit evidence while making clear that middleBrick is a scanning tool, not an auditor, and cannot certify anyone.

Authenticated scanning and safe testing posture

Authenticated scans with Bearer, API key, Basic auth, and Cookie credentials are supported from Starter tier onward, gated by domain verification so that only the domain owner can scan with credentials. The scanner uses read-only methods plus text-only POST for LLM probes, and it enforces strict header allowlists. Sensitive infrastructure is protected by layered blocks for private IPs, localhost, and cloud metadata endpoints, and no destructive payloads are ever sent.

Continuous monitoring and reporting for audits

Pro tier enables scheduled rescans every six hours, daily, weekly, or monthly, with diff detection to surface new findings, resolved findings, and score drift. You receive email alerts at a rate-limited cadence of 1 per hour per API, and HMAC-SHA256 signed webhooks notify downstream systems, with automatic disabling after 5 consecutive delivery failures. Reports include branded compliance PDFs and evidence-oriented findings that support audit trails without asserting certification.
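A receiver-side check for the HMAC-SHA256 signed webhooks mentioned above, added here as an example and not middleBrick's own code. The page does not document the webhook format, so the header name, the shared secret, and the diff payload fields are assumptions constructed for this example.

```python
import hashlib
import hmac
import json

# Assumptions: the page does not specify the webhook format, so the header
# name, secret, and payload fields below are placeholders a receiver would
# replace with the values configured for its own webhook endpoint.
SIGNATURE_HEADER = "X-Webhook-Signature"      # assumed header name
WEBHOOK_SECRET = b"constructed-shared-secret"  # constructed for this example


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (what a sender would emit)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only if the raw body carries a valid HMAC-SHA256 signature.

    The MAC is computed over the bytes as received, never over re-serialized
    JSON, and compared in constant time so the check does not leak timing.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented:
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, presented.strip().lower())


def accept_notification(secret: bytes, headers: dict, body: bytes):
    """Parse a rescan diff notification only after its signature checks out."""
    if not verify_webhook(secret, headers, body):
        return None
    return json.loads(body)


# Constructed sample: a rescan diff reporting new/resolved findings and score drift.
SAMPLE_BODY = json.dumps({"event": "rescan.diff", "new_findings": 2,
                          "resolved_findings": 1, "score_delta": -4}).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}
# Same signature, altered body: must be rejected.
TAMPERED_BODY = SAMPLE_BODY.replace(b'"new_findings": 2', b'"new_findings": 0')

if __name__ == "__main__":
    print(accept_notification(WEBHOOK_SECRET, GOOD_HEADERS, SAMPLE_BODY))
    print(accept_notification(WEBHOOK_SECRET, GOOD_HEADERS, TAMPERED_BODY))  # None
```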

Limitations and integration into your program

The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not detect blind SSRF. It should not replace a human pentester for high-stakes audits. You can integrate via the CLI, GitHub Action, MCP Server, or API client to embed checks into CI/CD pipelines while retaining full control of scope and thresholds.

Frequently Asked Questions

Can I use authenticated scans for compliance evidence?
Yes, authenticated scans increase coverage by testing authorized endpoints. They require domain verification and are available from Starter tier onward, with findings mapped to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
How are false positives handled in reports?
Each finding includes contextual metadata such as request/response samples and mapping to specific controls. You can use this evidence to triage and validate findings with your team before closing items.
Does the scanner certify compliance status?
No. The scanner surfaces findings relevant to specific frameworks and helps you prepare audit evidence, but it does not certify or guarantee compliance, nor does it claim to meet all requirements of any regulatory framework.
What happens to scan data after cancellation?